8 Cybersecurity Concerns for Nonprofits & How to Address Them

Kadian Douglas

Nonprofit organizations face unique challenges when it comes to cybersecurity. Limited budgets, lack of dedicated IT staff, and the ever-evolving nature of cyber threats can make it difficult to stay protected. We recently asked nonprofit leaders about their top cybersecurity concerns. They expressed eight challenges that we’ll address by offering best practices to overcome them.

8 Cybersecurity Concerns & Solutions for Nonprofit Leaders

1. Lack of Knowledge Around Identifying Phishing Scams

"A lack of knowledge or understanding around how to identify a phishing email or phishing scam and then revealing company information."

Phishing scams remain one of the most common ways cybercriminals target organizations, and nonprofits are no exception. Training staff to recognize phishing emails is essential.

How to Address This Challenge: Nonprofits should regularly conduct cybersecurity awareness training. Provide examples of phishing emails and red flags for your staff and volunteers to look for, such as suspicious sender addresses, grammatical errors, or unexpected attachments and links. Implementing email security solutions that filter out phishing attempts and using multi-factor authentication (MFA) adds an extra layer of protection. Regular simulations of phishing attacks can also help employees recognize real-world scenarios.
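Two of the red flags named above, a suspicious sender address and a link that does not go where its text says, can be checked mechanically as well as by eye. The script below is an added example (not part of the original article and not a product of the author's firm) that scores a message on those indicators; the organization domain, the look-alike heuristics and the two sample messages are all constructed for the illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain the organization really sends from.
ORG_DOMAIN = "example-nonprofit.org"


def normalize_domain(domain: str) -> str:
    """Collapse common character substitutions so look-alikes compare equal."""
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


def check_sender(from_header: str) -> list:
    """Flag sender-address tricks in a From: header."""
    flags = []
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name carries an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != domain:
        flags.append(f"display name shows {embedded.group(1)} but message is from {domain}")
    # Internationalized (punycode) labels can hide visually identical characters.
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append(f"sender domain uses punycode: {domain}")
    # Domain differs from ours only by substituted characters.
    if domain != ORG_DOMAIN and normalize_domain(domain) == normalize_domain(ORG_DOMAIN):
        flags.append(f"sender domain {domain} looks like {ORG_DOMAIN}")
    # Our name embedded inside someone else's domain (e.g. ourname.org.attacker.net).
    if ORG_DOMAIN in domain and domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN):
        flags.append(f"sender domain {domain} embeds {ORG_DOMAIN}")
    return flags


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Flag links whose visible text disagrees with their real destination."""
    flags = []
    collector = _AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link points at a raw IP address: {href}")
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != host:
            flags.append(f"link text shows {shown.group(1)} but points to {host}")
    return flags


def check_message(message: dict) -> list:
    """Combine sender and link checks; an empty list means no indicator fired."""
    return check_sender(message["from"]) + check_links(message["body"])


# Constructed samples: one look-alike phish, one legitimate internal message.
SAMPLE_PHISH = {
    "from": '"finance@example-nonprofit.org" <donations@examp1e-nonprofit.org>',
    "body": '<p>Please review the <a href="http://198.51.100.7/pay">invoice</a> at '
            '<a href="http://examp1e-nonprofit.org.login-check.net/">'
            'https://example-nonprofit.org/portal</a></p>',
}
SAMPLE_CLEAN = {
    "from": "Jane Doe <jane@example-nonprofit.org>",
    "body": '<a href="https://example-nonprofit.org/portal">https://example-nonprofit.org/portal</a>',
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, check_message(msg) or "no indicators")
```

A checker like this belongs in a mail filter or a help-desk triage step, not in place of the training itself: it catches the mechanical tricks, while grammatical oddities and an unexpected request still rely on a person who knows what to look for.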

2. Breaches Through Third-Party Vendors

"The biggest concern facing nonprofits and cybersecurity is breaches through third-party vendors."

Third-party vendors can introduce significant vulnerabilities if they don’t maintain strong security practices. Nonprofits often rely on external vendors for services like payment processing, website management, and cloud storage.

How to Address This Challenge: To reduce risk, nonprofits must vet third-party vendors carefully. Ensure vendors follow industry-standard security practices, such as encryption and regular security audits. Implement vendor risk management policies, which include reviewing vendor contracts, requiring cybersecurity certifications (like ISO 27001), and regularly monitoring their security posture. Nonprofits should also write breach-notification obligations into vendor contracts and periodically reassess each vendor's security measures.

3. The Impact of Artificial Intelligence on Nonprofit Work

"My biggest concern is AI and how artificial intelligence will impact the work our nonprofits are doing."

AI presents both opportunities and risks for nonprofits. While AI can streamline operations and provide insights, it can also be used maliciously in cyberattacks, such as creating more sophisticated phishing scams or automating breaches.

How to Address This Challenge: Stay informed about the ethical use of AI and the potential risks associated with it. This means ensuring that any AI systems you adopt are secure by design and are subject to regular risk assessments. Cybersecurity tools powered by AI, such as advanced threat detection systems, can also be used to bolster defenses.

4. Phishing Scams Leading to Revenue Loss

"Nonprofit staff can fall victim to phishing scams, resulting in a loss of revenue for the nonprofit that is often already strapped."

Financial losses due to phishing scams can be especially devastating for nonprofits, where every dollar counts.

How to Address This Challenge: In addition to training, nonprofits should establish clear reporting procedures for staff who suspect phishing attempts. Setting up role-based access controls ensures that sensitive financial data is only accessible to those who need it. Implement payment verification processes, such as requiring verbal confirmation for large transactions to prevent fraudulent wire transfers.

5. Unauthorized Access to Sensitive Data

"My top concern would be that bad actors access sensitive data they shouldn't be accessing."

Nonprofits often manage sensitive data, such as donor information, financial records, and personal client data. Unauthorized access can lead to severe consequences, including reputational damage.

How to Address This Challenge: To protect sensitive data, nonprofits should enforce strong access controls and regularly audit who has access to sensitive information. Encryption of sensitive data, both at rest and in transit, is essential. Implementing data loss prevention (DLP) solutions can help monitor and control data access and transfer. Additionally, nonprofits should invest in comprehensive incident response plans to react swiftly if a breach occurs.

6. System Hacking and Exploitation of Confidential Information

"I was consulting for an organization, and we found out that all our systems had been hacked. It took months to recover and protect confidential information."

Extended downtime and the loss of sensitive data can severely impact nonprofit operations and undermine trust with stakeholders.

How to Address This Challenge: Invest in disaster recovery and business continuity planning. Regularly backing up systems and storing the backups in secure, off-site locations ensures that recovery from ransomware or other attacks can happen quickly. Implementing endpoint detection and response (EDR) tools can help identify and isolate malicious activity before it escalates. Additionally, nonprofits must have a robust incident response team ready to act immediately in the event of a breach.

7. Outsourcing IT and Maintaining Accountability

"[Nonprofits] often outsource their IT but don't realize they are still responsible for cybersecurity measures like penetration testing and vulnerability scanning."

Outsourcing IT can be a double-edged sword for nonprofits. While it can help reduce costs, it doesn’t remove the responsibility of maintaining security.

How to Address This Challenge: Maintain oversight and accountability over your IT operations, even when outsourced. This means ensuring your vendors are regularly conducting penetration testing and vulnerability assessments. When working with an external IT provider, nonprofits should clearly define service-level agreements (SLAs) that cover cybersecurity responsibilities. Regular audits and status reports from the vendor should be required.

8. Downtime and Operational Disruption

"The biggest concern for my foundation is the downtime that occurs if someone takes over our system. The cost of that downtime is significant."

Operational downtime can disrupt essential services and result in lost revenue or missed opportunities for nonprofits.

How to Address This Challenge: To minimize downtime, nonprofits need to implement redundant systems and cloud-based solutions that allow operations to continue even during a cybersecurity incident. Regular system backups and business continuity plans should be implemented to ensure that critical functions can be restored as quickly as possible. Assessing these plans periodically ensures they are effective when needed most.

Taking Action to Secure Your Nonprofit

As the cybersecurity landscape evolves, nonprofits must remain proactive in their defense strategies. Whether it’s training staff to spot phishing attempts, securing sensitive data, or managing third-party risks, every nonprofit must tailor its cybersecurity efforts to meet its specific challenges. By addressing these concerns head-on, nonprofits can protect their operations, data, and the communities they serve.

If your nonprofit hasn’t yet developed a comprehensive cybersecurity plan, now is the time to do so. By fostering a culture of awareness and preparedness, you can safeguard your organization against the growing threats in today’s digital world.


Kadian Douglas

M.Ed., CPA, CISA

Kadian Douglas is the Managing Partner at Douglas CPA & Consulting, LLC. She supports clients with information security assessments, IT governance assessments, enterprise-wide IT risk assessments, compliance audit services, IT general and application controls and data privacy. Kadian has expertise in a wide range of industries, including the nonprofit sector.
